How to configure SSO with an LDAP identity provider

Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.

TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP).

Note: Single sign-on is available with the Basic, Plus and Premium subscription plans.

To get started, you need an LDAP identity provider (IdP) to handle the sign-in process and provide your users’ credentials to TalentLMS.

The information required by TalentLMS is:

A unique identifier for each user.

The user’s first name and last name.

The user’s email.

When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.

To configure LDAP-enabled SSO you need:

The URL and the port of your LDAP identity provider (IdP).

The domain of your LDAP server to allow incoming connections from TalentLMS.

The DN pattern of your LDAP configuration.

The username attribute of your LDAP configuration.

Let’s start!

Enable LDAP SSO on your TalentLMS domain

1. Sign in to your TalentLMS account as an Administrator, go to Home > Account & Settings >Users and click Single Sign-On (SSO).

2. SSO integration type: From the drop-down list, select LDAP.

3. LDAP server: The domain or the IP address of your LDAP server.

4. Server port: The port of your LDAP server.

5. SSL/TLS enabled: Select Yes if your LDAP server supports SSL/TLS.

Note: If yes, the LDAP server above must follow the “ldaps://ldap-hostname” pattern and, in most cases, the Server port is set to 636.

6. Bind DN and Bind password: Optional. Type the Bind DN and the Bind password as found on your LDAP server configuration.

7. DN pattern: Type the DN pattern of your LDAP configuration that allows user authentication to the LDAP database. The DN pattern is part of the authentication string that consists of:

The user-defined username as found in the log-in form (e.g., talentuser).

The DN pattern (e.g., ou=people,dc=example,dc=org).

Based on these examples, the authentication string that’s sent to your LDAP server is: uid=talentuser,ou=people,dc=example,dc=org.

The remaining fields are used for the LDAP attributes that contain the user data required by TalentLMS and provided by your IdP. They are optional, and they can be left blank for most LDAP IdP deployments. In that case, their default values are applied.

Note: That’s the username value that combines with the user-defined username and the DN pattern to form the authentication string that’s sent to your LDAP server.

9.Full name: Type the attribute for the user’s full name. The default value is displayName.

10. Email: Type the attribute for the user’s email. The default value is mail.

Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your LDAP IdP and TalentLMS.

11. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.

User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.

When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.

To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts.

User Profile

Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results to user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.

We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.

When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that: